Thanks to complex perimeters, sophisticated application-level threats, and regulations that hold CEOs and CIOs accountable
for company data, security must now be regarded as more than a bunch of technologies tacked onto the network. “Companies are
realizing they must approach security at the enterprise level,” says Rich Caralli, senior member of the technical staff at
the CERT Coordination Center’s survivable enterprise management group. “Rather than chasing the latest threat, they’re working
on identifying and securing directly the core business processes and information assets essential to the company mission.”
In fact, security is moving so deeply into business processes and infrastructure that it may someday disappear as a category
unto itself. “As organizations develop more mature capabilities in business and IT processes, they’re seeing the significant
security benefits,” Caralli says. “They’re moving beyond just patch management, for example, to configuration management or
availability management.” No matter what you do in the enterprise, he adds, your function is likely to include information
security.
If anything has eliminated the effectiveness of traditional perimeter security, it’s the growth of anytime, anywhere access.
“Companies used to depend on employees carrying around a notebook with a VPN for remote access,” says John Pescatore, vice
president of Internet security at Gartner. “But with SSL VPNs, employees now access the network from home computers, other
companies’ computers, kiosks, Kinko’s, and cybercafés.”
Pescatore recounts that at a recent RSA conference, he stepped up to a kiosk that displayed a venture capitalist’s e-mail
revealing that company X was in for $2.1 million. Or, to take a less spectacular example, a dab of keyboard-logging spyware
on a system at FedEx Kinko’s can easily capture an employee’s password and send it to an attacker. And because telecommuters
often share their home computers, a little laxity by Junior as he downloads music on the same machine can breed infection,
thereby compromising the corporate network.
Enterprises have also wrestled with the security implications of outsourcing, connections with partners and suppliers, and
the growth of Web services. “They can’t just hope that the call center in India handling customer data or the company they
outsource payroll or sales-force automation to understands and meets their security requirements. They must take into account
the impact of an attack or infection on that company’s network,” Pescatore says. The same goes for connected partners and
suppliers.
“No doubt Web services and applications reduce the value of traditional firewalls, as companies have to expose data to the
world,” says Johannes Ullrich, CTO of The SANS Institute’s Internet Storm Center.
With more application-layer exploits sneaking past traditional firewalls as legitimate port 80 traffic, companies have turned
to application-savvy intrusion prevention solutions, as well as application layer and XML firewalls placed strategically to
protect specific sensitive data. In fact, these capabilities are increasingly merging with traditional firewall solutions.
“By 2006, when someone buys a firewall, they’ll also be buying intrusion prevention,” Pescatore says. He also sees XML and
Web application security merging with content-filtering products, as evidenced by F5 Networks’ purchase of Magnifire.
Web services and compliance requirements are also driving the need for end-to-end enterprise identity solutions and federated
identity standards that allow different organizations to set up trust relationships with one another. Identity management’s
centralized auditing function, in particular, is becoming an important compliance tool.
Traditional desktop and network management solutions have increasingly taken on patch management and other security functions.
Their hardware and software inventory capabilities have also become essential components of a viable security strategy, as
PC-based technologies and Web servers have been incorporated into a variety of devices.
“My wife worked for a company that sold oscilloscopes running Windows 2000,” SANS’ Ullrich says. “Did you patch your oscilloscope
today?” Switch vendors such as Cisco are working security into their mainstream network hardware. “Each port in your Cisco
switch is a perimeter that you can shut down when a security event happens,” Ullrich says.
Finally, companies are working security into the development and implementation process much earlier. “Outside code review
and vulnerability and penetration testing have become more widespread,” Ullrich says. Caralli agrees, “It’s much better to
head off the security threat much earlier in the process, before you inherit it in the operations phase.” The result is that
security is on its way to being part of everything else. “In the work we’re doing, we’re really trying to lose the term ‘security,’
” Ullrich says.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
